Forum Discussion
where does ASM store its policy configuration
was doing some troubleshooting on an ASM config sync issue and couldn't find the actual ASM policy content config anywhere in /config/. there is an entry in bigip.conf but that is just very basic, a few lines. did i overlook something or is it stored somewhere else?
- LyonsG_85618Cirrostratus
I don't believe there is a config file for ASM. What version of TMOS are you running? I have discovered a bug (now with F5) on 11.4.1. When you create a new policy and synchronise to the standby unit, the policy gets created in default mode. If you then amend the policy (even the description) and synchronise again, this will copy the full config over.
from F5 support i was told the config is in the database. i'll have a look later on to see if it is readable from.
what do you mean with default mode?
my bug is that the policy didn't sync at all initially. at some point it did, but what triggered it was unclear. there was asm restart done, but also some full config sync.
from what i see in the ltm and asm log, the asm sync is a different process which is triggered during the normal sync.
- LyonsG_85618Cirrostratus
OK I'll try and clarify.
If you create an ASM policy on ACTIVE unit and change everything to blocking you can then synch this over to STANDBY unit.
When you then check policy on STANDBY you will see that no matter what options you have configured on ACTIVE the policy gets created in default mode (i.e. default options/transparent mode).
If you go back to ACTIVE and change anything (even policy description) and synchronise again then the correct options get copied over from ACTIVE to STANDBY.
Does this make sense?
- nitassEmployee
asm stores its configuration, request log, learning suggestion, etc in mysql database.
if you want, you can try to connect to mysql and explore the database.
sol6979: Managing the MySQL database password for the BIG-IP system
- swo0sh_gt_13163Altostratus
@LyonsG,
Can you please share more information on this behavior? I am facing exactly the same issue as you've described i.e.
OK I'll try and clarify. If you create an ASM policy on ACTIVE unit and change everything to blocking you can then synch this over to STANDBY unit. When you then check policy on STANDBY you will see that no matter what options you have configured on ACTIVE the policy gets created in default mode (i.e. default options/transparent mode). If you go back to ACTIVE and change anything (even policy description) and synchronise again then the correct options get copied over from ACTIVE to STANDBY. Does this make sense?
Is this a bug? Any id given by F5? Can anyone shed some light here?
Thank you, Darshan
- Hannes_RappNimbostratus
It does seem to be an unexpected behavior, as noted by others. As a temporary workaround, you could export the policy as .xml and import it to the standby unit (will be faster than manually applying the changes on both boxes). Cheers.
- swo0sh_gt_13163Altostratus
Yes, that is what I did for now. However, mine is a somewhat harder issue.
What happens is, after making any changes to the ACTIVE F5 appliance in affected ASM policy, the "In sync" status isn't getting changed to "Changes pending".
I have modified that particular policy a lot, still the status of the sync shows "In sync". This means every time I make any changes to the Active appliance, I need to export/import manually, which isn't acceptable.
It is good to note that this behavior is particularly with one ASM policy only, if I remove this policy from the standby appliance and sync again, the affected policy recreates on Standby appliance, with default settings, without any other configuration like Allowed URL, Parameters etc.
Any clue?
- swo0sh_gt_13163Altostratus
Yes, I've tried it at the same time of the test. Didn't work though. :(
- swo0sh_gt_13163Altostratus
Yes, current DG is specified at both of the appliances. I can see this is working, for example if I delete the affected ASM policy from Standby appliance, and do config-sync manually, I can see that removed policy is again created, however with default settings without any other configuration inside.
- passikaran_1962Nimbostratus
i don't believe